X-Git-Url: https://git.proxmox.com/?p=pve-docs.git;a=blobdiff_plain;f=pveproxy.adoc;h=bfd34aa0e163c960458436a34f76f402f88ba20d;hp=125484f5118620625c4dc3954d336b609ba26a79;hb=9e8f2770b0b2e65938a2f543f861e88a57305000;hpb=96f2beeb13548b0a3f86b62548809cea3be488c3 diff --git a/pveproxy.adoc b/pveproxy.adoc index 125484f..bfd34aa 100644 --- a/pveproxy.adoc +++ b/pveproxy.adoc @@ -20,19 +20,91 @@ endif::manvolnum[] ifndef::manvolnum[] {pve} API Proxy Daemon -================ +====================== include::attributes.txt[] endif::manvolnum[] This daemon exposes the whole {pve} API on TCP port 8006 using -HTTPS. It runs as user 'www-data' and has very limited permissions. +HTTPS. It runs as user `www-data` and has very limited permissions. Operation requiring more permissions are forwarded to the local -'pvedaemon'. +`pvedaemon`. -Request targeted for other nodes are automatically forwarded to that -node. This means that you can manage your whole cluster by connecting +Requests targeted for other nodes are automatically forwarded to those +nodes. This means that you can manage your whole cluster by connecting to a single {pve} node. +Host based Access Control +------------------------- + +It is possible to configure ``apache2''-like access control +lists. Values are read from file `/etc/default/pveproxy`. For example: + +---- +ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22" +DENY_FROM="all" +POLICY="allow" +---- + +IP addresses can be specified using any syntax understood by `Net::IP`. The +name `all` is an alias for `0/0`. + +The default policy is `allow`. + +[width="100%",options="header"] +|=========================================================== +| Match | POLICY=deny | POLICY=allow +| Match Allow only | allow | allow +| Match Deny only | deny | deny +| No match | deny | allow +| Match Both Allow & Deny | deny | allow +|=========================================================== + + +SSL Cipher Suite +---------------- + +You can define the cipher list in `/etc/default/pveproxy`, for example + + CIPHERS="HIGH:MEDIUM:!aNULL:!MD5" + +Above is the default. See the ciphers(1) man page from the openssl +package for a list of all available options. + + +Diffie-Hellman Parameters +------------------------- + +You can define the used Diffie-Hellman parameters in +`/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file +containing DH parameters in PEM format, for example + + DHPARAMS="/path/to/dhparams.pem" + +If this option is not set, the built-in `skip2048` parameters will be +used. + +NOTE: DH parameters are only used if a cipher suite utilizing the DH key +exchange algorithm is negotiated. + + +Alternative HTTPS certificate +----------------------------- + +By default, pveproxy uses the certificate `/etc/pve/local/pve-ssl.pem` +(and private key `/etc/pve/local/pve-ssl.key`) for HTTPS connections. +This certificate is signed by the cluster CA certificate, and therefor +not trusted by browsers and operating systems by default. + +In order to use a different certificate and private key for HTTPS, +store the server certificate and any needed intermediate / CA +certificates in PEM format in the file `/etc/pve/local/pveproxy-ssl.pem` +and the associated private key in PEM format without a password in the +file `/etc/pve/local/pveproxy-ssl.key`. + +WARNING: Do not replace the automatically generated node certificate +files in `/etc/pve/local/pve-ssl.pem` and `etc/pve/local/pve-ssl.key` or +the cluster CA files in `/etc/pve/pve-root-ca.pem` and +`/etc/pve/priv/pve-root-ca.key`. ifdef::manvolnum[] include::pve-copyright.adoc[]